From a57445c364923ede362c063f04ef4d6ed313e915 Mon Sep 17 00:00:00 2001
From: Paul-Henri Froidmont
Date: Thu, 2 Aug 2018 19:40:43 +0200
Subject: [PATCH] kubernetes-ca role refactoring
---
 roles/kubernetes-ca/defaults/main.yml | 185 ++++++++---------
 roles/kubernetes-ca/tasks/main.yml | 186 +++--------------
 ...erver-config.json.j2 => ca-config.json.j2} | 4 +-
 .../templates/ca-etcd-config.json.j2 | 18 --
 .../templates/ca-etcd-csr.json.j2 | 16 --
 .../templates/ca-k8s-apiserver-csr.json.j2 | 16 --
 .../templates/cert-admin-csr.json.j2 | 16 --
 .../templates/cert-etcd-csr.json.j2 | 16 --
 .../templates/cert-k8s-apiserver-csr.json.j2 | 16 --
 .../cert-k8s-controller-manager-csr.json.j2 | 16 --
 ...cert-k8s-controller-manager-sa-csr.json.j2 | 16 --
 .../templates/cert-k8s-proxy-csr.json.j2 | 16 --
 .../templates/cert-k8s-scheduler-csr.json.j2 | 16 --
 .../templates/cert-worker-csr.json.j2 | 14 +-
 roles/kubernetes-ca/templates/csr.json.j2 | 16 ++
 15 files changed, 137 insertions(+), 430 deletions(-)
 rename roles/kubernetes-ca/templates/{ca-k8s-apiserver-config.json.j2 => ca-config.json.j2} (70%)
 delete mode 100644 roles/kubernetes-ca/templates/ca-etcd-config.json.j2
 delete mode 100644 roles/kubernetes-ca/templates/ca-etcd-csr.json.j2
 delete mode 100644 roles/kubernetes-ca/templates/ca-k8s-apiserver-csr.json.j2
 delete mode 100644 roles/kubernetes-ca/templates/cert-admin-csr.json.j2
 delete mode 100644 roles/kubernetes-ca/templates/cert-etcd-csr.json.j2
 delete mode 100644 roles/kubernetes-ca/templates/cert-k8s-apiserver-csr.json.j2
 delete mode 100644 roles/kubernetes-ca/templates/cert-k8s-controller-manager-csr.json.j2
 delete mode 100644 roles/kubernetes-ca/templates/cert-k8s-controller-manager-sa-csr.json.j2
 delete mode 100644 roles/kubernetes-ca/templates/cert-k8s-proxy-csr.json.j2
 delete mode 100644 roles/kubernetes-ca/templates/cert-k8s-scheduler-csr.json.j2
 create mode 100644 roles/kubernetes-ca/templates/csr.json.j2
diff --git a/roles/kubernetes-ca/defaults/main.yml b/roles/kubernetes-ca/defaults/main.yml
index 50a6098..7b3d9a5 100644
--- a/roles/kubernetes-ca/defaults/main.yml
+++ b/roles/kubernetes-ca/defaults/main.yml
@@ -8,110 +8,93 @@ k8s_ca_conf_directory: "{{ '~/k8s/certs' | expanduser }}"
 k8s_ca_certificate_owner: "root"
 k8s_ca_certificate_group: "root"
-# Expiry for etcd root certificate
-ca_etcd_expiry: "87600h"
-
-# Certificate authority for etcd certificates
-ca_etcd_csr_cn: "Etcd"
-ca_etcd_csr_key_algo: "rsa"
-ca_etcd_csr_key_size: "2048"
-ca_etcd_csr_names_c: "DE"
-ca_etcd_csr_names_l: "The_Internet"
-ca_etcd_csr_names_o: "Kubernetes"
-ca_etcd_csr_names_ou: "BY"
-ca_etcd_csr_names_st: "Bayern"
 # Expiry for Kubernetes API server root certificates
-ca_k8s_apiserver_expiry: "87600h"
+ca_expiry: "87600h"
-# Certificate authority for Kubernetes API server
-ca_k8s_apiserver_csr_cn: "Kubernetes"
-ca_k8s_apiserver_csr_key_algo: "rsa"
-ca_k8s_apiserver_csr_key_size: "2048"
-ca_k8s_apiserver_csr_names_c: "DE"
-ca_k8s_apiserver_csr_names_l: "The_Internet"
-ca_k8s_apiserver_csr_names_o: "Kubernetes"
-ca_k8s_apiserver_csr_names_ou: "BY"
-ca_k8s_apiserver_csr_names_st: "Bayern"
-
-# CSR parameter for etcd certificate
-etcd_csr_cn: "Etcd"
-etcd_csr_key_algo: "rsa"
-etcd_csr_key_size: "2048"
-etcd_csr_names_c: "DE"
-etcd_csr_names_l: "The_Internet"
-etcd_csr_names_o: "Kubernetes"
-etcd_csr_names_ou: "BY"
-etcd_csr_names_st: "Bayern"
-
-# CSR parameter for Kubernetes API server certificate
-k8s_apiserver_csr_cn: "Kubernetes"
-k8s_apiserver_csr_key_algo: "rsa"
-k8s_apiserver_csr_key_size: "2048"
-k8s_apiserver_csr_names_c: "DE"
-k8s_apiserver_csr_names_l: "The_Internet"
-k8s_apiserver_csr_names_o: "Kubernetes"
-k8s_apiserver_csr_names_ou: "BY"
-k8s_apiserver_csr_names_st: "Bayern"
-
-# CSR parameter for the admin user
-k8s_admin_csr_cn: "admin"
-k8s_admin_csr_key_algo: "rsa"
-k8s_admin_csr_key_size: "2048"
-k8s_admin_csr_names_c: "DE"
-k8s_admin_csr_names_l: "The_Internet"
-k8s_admin_csr_names_o: "system:masters" # DO NOT CHANGE!
-k8s_admin_csr_names_ou: "BY"
-k8s_admin_csr_names_st: "Bayern"
-
-# CSR parameter for kubelet client certificates
-k8s_worker_csr_key_algo: "rsa"
-k8s_worker_csr_key_size: "2048"
-k8s_worker_csr_names_c: "DE"
-k8s_worker_csr_names_l: "The_Internet"
-k8s_worker_csr_names_o: "system:nodes" # DO NOT CHANGE!
-k8s_worker_csr_names_ou: "BY"
-k8s_worker_csr_names_st: "Bayern"
-
-# CSR parameter for the kube-proxy client certificate
-k8s_kube_proxy_csr_cn: "system:kube-proxy" # DO NOT CHANGE!
-k8s_kube_proxy_csr_key_algo: "rsa"
-k8s_kube_proxy_csr_key_size: "2048"
-k8s_kube_proxy_csr_names_c: "DE"
-k8s_kube_proxy_csr_names_l: "The_Internet"
-k8s_kube_proxy_csr_names_o: "system:node-proxier" # DO NOT CHANGE!
-k8s_kube_proxy_csr_names_ou: "BY"
-k8s_kube_proxy_csr_names_st: "Bayern"
-
-# CSR parameter for the kube-controller-manager client certificate
-k8s_controller_manager_csr_cn: "system:kube-controller-manager" # DO NOT CHANGE!
-k8s_controller_manager_csr_key_algo: "rsa"
-k8s_controller_manager_csr_key_size: "2048"
-k8s_controller_manager_csr_names_c: "DE"
-k8s_controller_manager_csr_names_l: "The_Internet"
-k8s_controller_manager_csr_names_o: "system:kube-controller-manager" # DO NOT CHANGE!
-k8s_controller_manager_csr_names_ou: "BY"
-k8s_controller_manager_csr_names_st: "Bayern"
-
-# CSR parameter for the kube-scheduler client certificate
-k8s_scheduler_csr_cn: "system:kube-scheduler" # DO NOT CHANGE!
-k8s_scheduler_csr_key_algo: "rsa"
-k8s_scheduler_csr_key_size: "2048"
-k8s_scheduler_csr_names_c: "DE"
-k8s_scheduler_csr_names_l: "The_Internet"
-k8s_scheduler_csr_names_o: "system:kube-scheduler" # DO NOT CHANGE!
-k8s_scheduler_csr_names_ou: "BY"
-k8s_scheduler_csr_names_st: "Bayern"
-
-# CSR parameter for kube-controller-manager service account key pair. Used to generate and sign service account tokens.
-k8s_controller_manager_sa_csr_cn: "service-accounts"
-k8s_controller_manager_sa_csr_key_algo: "rsa"
-k8s_controller_manager_sa_csr_key_size: "2048"
-k8s_controller_manager_sa_csr_names_c: "DE"
-k8s_controller_manager_sa_csr_names_l: "The_Internet"
-k8s_controller_manager_sa_csr_names_o: "Kubernetes"
-k8s_controller_manager_sa_csr_names_ou: "BY"
-k8s_controller_manager_sa_csr_names_st: "Bayern"
+k8s_csr:
+ master:
+ - name: "ca"
+ cn: "Kubernetes"
+ key_algo: "rsa"
+ key_size: "2048"
+ names_c: "BE"
+ names_l: "The_Internet"
+ names_o: "Kubernetes"
+ names_ou: "CA"
+ names_st: "Luxembourg"
+ - name: "etcd"
+ cn: "Etcd"
+ key_algo: "rsa"
+ key_size: "2048"
+ names_c: "BE"
+ names_l: "The_Internet"
+ names_o: "Kubernetes"
+ names_ou: "{{ k8s_config_cluster_name }}"
+ names_st: "Luxembourg"
+ - name: "apiserver"
+ cn: "Kubernetes"
+ key_algo: "rsa"
+ key_size: "2048"
+ names_c: "BE"
+ names_l: "The_Internet"
+ names_o: "Kubernetes"
+ names_ou: "{{ k8s_config_cluster_name }}"
+ names_st: "Luxembourg"
+ - name: "admin"
+ cn: "admin"
+ key_algo: "rsa"
+ key_size: "2048"
+ names_c: "BE"
+ names_l: "The_Internet"
+ names_o: "system:masters" # DO NOT CHANGE!
+ names_ou: "{{ k8s_config_cluster_name }}"
+ names_st: "Luxembourg"
+ - name: "kube-proxy"
+ cn: "system:kube-proxy" # DO NOT CHANGE!
+ key_algo: "rsa"
+ key_size: "2048"
+ names_c: "BE"
+ names_l: "The_Internet"
+ names_o: "system:node-proxier" # DO NOT CHANGE!
+ names_ou: "{{ k8s_config_cluster_name }}"
+ names_st: "Luxembourg"
+ - name: "kube-controller-manager"
+ cn: "system:kube-controller-manager" # DO NOT CHANGE!
+ key_algo: "rsa"
+ key_size: "2048"
+ names_c: "BE"
+ names_l: "The_Internet"
+ names_o: "system:kube-controller-manager" # DO NOT CHANGE!
+ names_ou: "{{ k8s_config_cluster_name }}"
+ names_st: "Luxembourg"
+ - name: "kube-scheduler"
+ cn: "system:kube-scheduler" # DO NOT CHANGE!
+ key_algo: "rsa"
+ key_size: "2048"
+ names_c: "BE"
+ names_l: "The_Internet"
+ names_o: "system:kube-scheduler" # DO NOT CHANGE!
+ names_ou: "{{ k8s_config_cluster_name }}"
+ names_st: "Luxembourg"
+ - name: "service-account"
+ cn: "service-accounts"
+ key_algo: "rsa"
+ key_size: "2048"
+ names_c: "BE"
+ names_l: "The_Internet"
+ names_o: "Kubernetes"
+ names_ou: "{{ k8s_config_cluster_name }}"
+ names_st: "Luxembourg"
+ worker:
+ name: "worker"
+ key_algo: "rsa"
+ key_size: "2048"
+ names_c: "BE"
+ names_l: "The_Internet"
+ names_o: "system:nodes" # DO NOT CHANGE!
+ names_ou: "{{ k8s_config_cluster_name }}"
+ names_st: "Luxembourg"
 etcd_cert_hosts:
 - 127.0.0.1
diff --git a/roles/kubernetes-ca/tasks/main.yml b/roles/kubernetes-ca/tasks/main.yml
index 7edc032..458ee5f 100644
--- a/roles/kubernetes-ca/tasks/main.yml
+++ b/roles/kubernetes-ca/tasks/main.yml
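Review bot: The comment kept above the renamed value, `# Expiry for Kubernetes API server root certificates`, no longer describes `ca_expiry`: after this hunk there is a single `ca` entry whose key signs etcd, API server, control-plane component and worker certificates alike, and `ca-config.json.j2` uses the same value as the default and profile expiry for every leaf, so the comment under-describes what the 10-year value governs; suggest `# Expiry for the single cluster CA and, via ca-config.json.j2, for every certificate it signs`. The new `names_ou: "{{ k8s_config_cluster_name }}"` entries reference a variable that this defaults file does not define, so templating any CSR fails with an undefined-variable error unless it is set elsewhere (group_vars or another role — not visible here); a default such as `k8s_config_cluster_name: "kubernetes"` in this file would keep the role self-contained. Note also that the `ca` entry lives in the same `master` list as the leaf CSRs, so every task that loops over `k8s_csr.master` processes the CA as if it were a leaf certificate.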
@@ -1,13 +1,16 @@
 ---
+#- name: Display hostvars
+# debug: var=hostvars
+
 - name: Generate list of IP addresses and hostnames needed for Kubernetes API server certificate
 set_fact:
 tmpK8sHosts: |
 {% set comma = joiner(",") %}
 {% for item in groups["k8s_master"] -%}
- {{ comma() }}{{ hostvars[item].private_ip }}{{ comma() }}{{ hostvars[item]["ansible_"+hostvars[item]["peervpn_conf_interface"]].ipv4.address }}{{ comma() }}{{item}}{{ comma() }}{{hostvars[item]["public_ip"]}}
+ {{ comma() }}{{ hostvars[item].private_ip }}{{ comma() }}{{ hostvars[item]["ansible_"+hostvars[item]["peervpn_conf_interface"]].ipv4.address }}{{ comma() }}{{ hostvars[item]["public_ip"] }}{{ comma() }}{{ hostvars[item].ansible_hostname }}
 {%- endfor %}
 {% for item in groups["k8s_worker"] -%}
- {{ comma() }}{{ hostvars[item].private_ip}}{{ comma() }}{{ hostvars[item]["ansible_"+hostvars[item]["peervpn_conf_interface"]].ipv4.address }}{{ comma() }}{{item}}{{ comma() }}{{hostvars[item]["public_ip"]}}
+ {{ comma() }}{{ hostvars[item].private_ip}}{{ comma() }}{{ hostvars[item]["ansible_"+hostvars[item]["peervpn_conf_interface"]].ipv4.address }}{{ comma() }}{{ hostvars[item]["public_ip"] }}{{ comma() }}{{ hostvars[item].ansible_hostname }}
 {%- endfor %}
 {% for item in k8s_apiserver_cert_hosts -%}
 {{ comma() }}{{item}}
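Review bot: Both rewritten `tmpK8sHosts` lines drop the inventory name `{{item}}` from the SAN list in favour of `hostvars[item].ansible_hostname` (the `tmpEtcdHosts` hunk below does the same), so any client that reaches a master or etcd node by its inventory name will fail TLS hostname verification whenever the inventory name and the OS hostname differ; if that is not intended, keep both, e.g. `{{ comma() }}{{ hostvars[item]["public_ip"] }}{{ comma() }}{{item}}{{ comma() }}{{ hostvars[item].ansible_hostname }}`. The commented-out `#- name: Display hostvars` / `# debug: var=hostvars` task should be deleted rather than left in: if someone uncomments it, it prints every host's facts and variables, including any secrets carried in hostvars, into the play output and logs. The `set_fact` task continues past the end of the hunk.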
@@ -25,13 +28,12 @@
 debug: var=k8sHosts
 tags:
 - kubernetes-ca
-
 - name: Generate list of IP addresses and hostnames needed for etcd certificate
 set_fact:
 tmpEtcdHosts: |
 {% set comma = joiner(",") %}
 {% for item in groups["k8s_etcd"] -%}
- {{ comma() }}{{ hostvars[item].private_ip}}{{ comma() }}{{ hostvars[item]["ansible_"+hostvars[item]["peervpn_conf_interface"]].ipv4.address }}{{ comma() }}{{item}}{{ comma() }}{{hostvars[item]["public_ip"]}}
+ {{ comma() }}{{ hostvars[item].private_ip}}{{ comma() }}{{ hostvars[item]["ansible_"+hostvars[item]["peervpn_conf_interface"]].ipv4.address }}{{ comma() }}{{hostvars[item]["public_ip"]}}{{ comma() }}{{ hostvars[item].ansible_hostname }}
 {%- endfor %}
 {% for item in etcd_cert_hosts -%}
 {{ comma() }}{{item}}
@@ -63,110 +65,39 @@
 tags:
 - kubernetes-ca
-- name: Create etcd CA configuration file
+- name: Create CA configuration file
 template:
- src: "ca-etcd-config.json.j2"
- dest: "{{k8s_ca_conf_directory}}/ca-etcd-config.json"
- owner: "{{k8s_ca_certificate_owner}}"
- group: "{{k8s_ca_certificate_group}}"
- mode: 0600
- tags:
- - kubernetes-ca
- - kubernetes-ca-etcd
-
-- name: Create Kubernetes API server CA configuration file
- template:
- src: "ca-k8s-apiserver-config.json.j2"
- dest: "{{k8s_ca_conf_directory}}/ca-k8s-apiserver-config.json"
+ src: "ca-config.json.j2"
+ dest: "{{k8s_ca_conf_directory}}/ca-config.json"
 owner: "{{k8s_ca_certificate_owner}}"
 group: "{{k8s_ca_certificate_group}}"
 mode: 0600
 tags:
 - kubernetes-ca
-- name: Copy the etcd CA certificate request file (CSR)
+- name: Create the CSR files
 template:
- src: "ca-etcd-csr.json.j2"
- dest: "{{k8s_ca_conf_directory}}/ca-etcd-csr.json"
+ src: "csr.json.j2"
+ dest: "{{k8s_ca_conf_directory}}/{{ item.name }}-csr.json"
 owner: "{{k8s_ca_certificate_owner}}"
 group: "{{k8s_ca_certificate_group}}"
 mode: 0600
 tags:
 - kubernetes-ca
- - kubernetes-ca-etcd
+ loop: "{{ k8s_csr.master|flatten(levels=1)}}"
-- name: Copy the Kubernetes API server CA certificate request file (CSR)
- template:
- src: "ca-k8s-apiserver-csr.json.j2"
- dest: "{{k8s_ca_conf_directory}}/ca-k8s-apiserver-csr.json"
- owner: "{{k8s_ca_certificate_owner}}"
- group: "{{k8s_ca_certificate_group}}"
- mode: 0600
- tags:
- - kubernetes-ca
-
-- name: Generate the etcd CA and private key
- shell: cfssl gencert -initca ca-etcd-csr.json | cfssljson -bare ca-etcd
+- name: Generate CA and private key
+ shell: cfssl gencert -initca ca-csr.json | cfssljson -bare ca
 args:
 chdir: "{{k8s_ca_conf_directory}}"
- creates: "{{k8s_ca_conf_directory}}/ca-etcd-key.pem"
- tags:
- - kubernetes-ca
- - kubernetes-ca-etcd
-
-- name: Generate the Kubernetes API server CA and private key
- shell: cfssl gencert -initca ca-k8s-apiserver-csr.json | cfssljson -bare ca-k8s-apiserver
- args:
- chdir: "{{k8s_ca_conf_directory}}"
- creates: "{{k8s_ca_conf_directory}}/ca-k8s-apiserver-key.pem"
+ creates: "{{k8s_ca_conf_directory}}/ca-key.pem"
 tags:
 - kubernetes-ca
-- name: Create the etcd key CSR file
- template:
- src: "cert-etcd-csr.json.j2"
- dest: "{{k8s_ca_conf_directory}}/cert-etcd-csr.json"
- owner: "{{k8s_ca_certificate_owner}}"
- group: "{{k8s_ca_certificate_group}}"
- mode: 0600
- tags:
- - kubernetes-ca
- - kubernetes-ca-etcd
-
-- name: Create the Kubernetes API server key CSR file
- template:
- src: "cert-k8s-apiserver-csr.json.j2"
- dest: "{{k8s_ca_conf_directory}}/cert-k8s-apiserver-csr.json"
- owner: "{{k8s_ca_certificate_owner}}"
- group: "{{k8s_ca_certificate_group}}"
- mode: 0600
- tags:
- - kubernetes-ca
-
-- name: Create the admin user key CSR file
- template:
- src: "cert-admin-csr.json.j2"
- dest: "{{k8s_ca_conf_directory}}/cert-admin-csr.json"
- owner: "{{k8s_ca_certificate_owner}}"
- group: "{{k8s_ca_certificate_group}}"
- mode: 0600
- tags:
- - kubernetes-ca
-
-- name: Create the kube-proxy key CSR file
- template:
- src: "cert-k8s-proxy-csr.json.j2"
- dest: "{{k8s_ca_conf_directory}}/cert-k8s-proxy-csr.json"
- owner: "{{k8s_ca_certificate_owner}}"
- group: "{{k8s_ca_certificate_group}}"
- mode: 0600
- tags:
- - kubernetes-ca
-
-- name: Create the worker key CSR files
+- name: Create the worker CSR files
 template:
 src: "cert-worker-csr.json.j2"
- dest: "{{k8s_ca_conf_directory}}/cert-{{item}}-csr.json"
+ dest: "{{k8s_ca_conf_directory}}/{{item}}-csr.json"
 owner: "{{k8s_ca_certificate_owner}}"
 group: "{{k8s_ca_certificate_group}}"
 mode: 0600
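Review bot: `Generate CA and private key` replaces two separate roots with one `ca.pem`/`ca-key.pem` that signs etcd, API server, control-plane component and worker certificates alike (the defaults hunk above provides only the one `ca` entry, and the `ca-config.json.j2` hunk below drops the `etcd` profile). The previous layout gave etcd its own CA, so a certificate issued to a kubelet or kube-proxy was not accepted by etcd at all; with a single CA, if etcd is configured to trust `ca.pem` for client authentication (configured outside this role — not visible here), every holder of any certificate this role issues, including each worker node, can authenticate directly to etcd, which holds all cluster Secrets. Keeping a second `ca-etcd` entry with its own `-initca` task, and signing only the etcd server certificate and the API server's etcd-client certificate from it, preserves the old trust boundary. Separately, the worker CSR destination `{{item}}-csr.json` now shares one flat namespace with the master names (`ca`, `etcd`, `apiserver`, `admin`, …), so a worker whose inventory hostname equals one of those would overwrite that CSR and, later, its key; a prefix such as `dest: "{{k8s_ca_conf_directory}}/worker-{{item}}-csr.json"` (mirrored in the worker gencert task) avoids the collision. The worker CSR task continues past the end of the hunk.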
@@ -177,63 +108,34 @@
 tags:
 - kubernetes-ca
-- name: Create the kube-controller-manager key CSR file
- template:
- src: "cert-k8s-controller-manager-csr.json.j2"
- dest: "{{k8s_ca_conf_directory}}/cert-k8s-controller-manager-csr.json"
- owner: "{{k8s_ca_certificate_owner}}"
- group: "{{k8s_ca_certificate_group}}"
- mode: 0600
- tags:
- - kubernetes-ca
-
-- name: Create the kube-controller-manager service-account key CSR file
- template:
- src: "cert-k8s-controller-manager-sa-csr.json.j2"
- dest: "{{k8s_ca_conf_directory}}/cert-k8s-controller-manager-sa-csr.json"
- owner: "{{k8s_ca_certificate_owner}}"
- group: "{{k8s_ca_certificate_group}}"
- mode: 0600
- tags:
- - kubernetes-ca
-
-- name: Create the kube-scheduler key CSR file
- template:
- src: "cert-k8s-scheduler-csr.json.j2"
- dest: "{{k8s_ca_conf_directory}}/cert-k8s-scheduler-csr.json"
- owner: "{{k8s_ca_certificate_owner}}"
- group: "{{k8s_ca_certificate_group}}"
- mode: 0600
- tags:
- - kubernetes-ca
-
 - name: Generate TLS certificate for etcd
- shell: "cfssl gencert -ca=ca-etcd.pem -ca-key=ca-etcd-key.pem -config=ca-etcd-config.json -hostname={{etcdHosts}} -profile=etcd cert-etcd-csr.json | cfssljson -bare cert-etcd"
+ shell: "cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -hostname={{etcdHosts}} -profile=kubernetes etcd-csr.json | cfssljson -bare etcd"
 args:
 chdir: "{{k8s_ca_conf_directory}}"
- creates: "{{k8s_ca_conf_directory}}/cert-etcd-key.pem"
+ creates: "{{k8s_ca_conf_directory}}/etcd-key.pem"
 tags:
 - kubernetes-ca
- - kubernetes-ca-etcd
+
 - name: Generate TLS certificate for Kubernetes API server
- shell: "cfssl gencert -ca=ca-k8s-apiserver.pem -ca-key=ca-k8s-apiserver-key.pem -config=ca-k8s-apiserver-config.json -hostname={{k8sHosts}} -profile=kubernetes cert-k8s-apiserver-csr.json | cfssljson -bare cert-k8s-apiserver"
+ shell: "cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -hostname={{k8sHosts}} -profile=kubernetes apiserver-csr.json | cfssljson -bare apiserver"
 args:
 chdir: "{{k8s_ca_conf_directory}}"
- creates: "{{k8s_ca_conf_directory}}/cert-k8s-apiserver-key.pem"
+ creates: "{{k8s_ca_conf_directory}}/apiserver-key.pem"
 tags:
 - kubernetes-ca
-- name: Generate TLS certificate for admin user
- shell: "cfssl gencert -ca=ca-k8s-apiserver.pem -ca-key=ca-k8s-apiserver-key.pem -config=ca-k8s-apiserver-config.json -profile=kubernetes cert-admin-csr.json | cfssljson -bare cert-admin"
+- name: Generate TLS certificates
+ shell: "cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes {{item.name}}-csr.json | cfssljson -bare {{item.name}}"
 args:
 chdir: "{{k8s_ca_conf_directory}}"
- creates: "{{k8s_ca_conf_directory}}/cert-admin-key.pem"
+ creates: "{{k8s_ca_conf_directory}}/{{item.name}}-key.pem"
 tags:
 - kubernetes-ca
+ loop: "{{ k8s_csr.master|flatten(levels=1)}}"
 - name: Generate TLS certificates for Kubernetes worker hosts
- shell: "cfssl gencert -ca=ca-k8s-apiserver.pem -ca-key=ca-k8s-apiserver-key.pem -config=ca-k8s-apiserver-config.json -hostname={{hostvars[item]['ansible_hostname']}},{{hostvars[item]['ansible_default_ipv4']['address']}},{{hostvars[item]['ansible_'+hostvars[item]['peervpn_conf_interface']].ipv4.address}} -profile=kubernetes cert-{{item}}-csr.json | cfssljson -bare cert-{{item}}"
+ shell: "cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -hostname={{hostvars[item]['ansible_hostname']}},{{hostvars[item]['ansible_default_ipv4']['address']}},{{hostvars[item]['ansible_'+hostvars[item]['peervpn_conf_interface']].ipv4.address}} -profile=kubernetes {{item}}-csr.json | cfssljson -bare {{item}}"
 args:
 chdir: "{{k8s_ca_conf_directory}}"
 creates: "{{k8s_ca_conf_directory}}/cert-{{item}}-key.pem"
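Review bot: The worker task's `creates: "{{k8s_ca_conf_directory}}/cert-{{item}}-key.pem"` (the hunk's last line, left as context) was not renamed along with the output, which is now `cfssljson -bare {{item}}` and therefore writes `{{item}}-key.pem`; the guard never matches, so every play run re-signs every worker certificate and silently rotates its private key instead of being idempotent. It should read `creates: "{{k8s_ca_conf_directory}}/{{item}}-key.pem"`. The new `Generate TLS certificates` loop also iterates over all of `k8s_csr.master`, including the `ca`, `etcd` and `apiserver` entries: `ca` is only kept from being re-signed by its `creates` guard on `ca-key.pem`, and `etcd`/`apiserver` rely on the dedicated `-hostname=` tasks above having already produced their keys — if those are skipped (tags, a failure) this loop issues them without any SANs; adding `when: item.name not in ['ca', 'etcd', 'apiserver']` to the loop task makes the intent explicit. The worker task continues past the end of the hunk.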
@@ -241,35 +143,3 @@
 - k8s_worker
 tags:
 - kubernetes-ca
-
-- name: Generate TLS certificate for kube-proxy
- shell: "cfssl gencert -ca=ca-k8s-apiserver.pem -ca-key=ca-k8s-apiserver-key.pem -config=ca-k8s-apiserver-config.json -profile=kubernetes cert-k8s-proxy-csr.json | cfssljson -bare cert-k8s-proxy"
- args:
- chdir: "{{k8s_ca_conf_directory}}"
- creates: "{{k8s_ca_conf_directory}}/cert-k8s-proxy-key.pem"
- tags:
- - kubernetes-ca
-
-- name: Generate TLS certificate for kube-controller-manager
- shell: "cfssl gencert -ca=ca-k8s-apiserver.pem -ca-key=ca-k8s-apiserver-key.pem -config=ca-k8s-apiserver-config.json -profile=kubernetes cert-k8s-controller-manager-csr.json | cfssljson -bare cert-k8s-controller-manager"
- args:
- chdir: "{{k8s_ca_conf_directory}}"
- creates: "{{k8s_ca_conf_directory}}/cert-k8s-controller-manager-key.pem"
- tags:
- - kubernetes-ca
-
-- name: Generate TLS certificate for kube-controller-manager service account
- shell: "cfssl gencert -ca=ca-k8s-apiserver.pem -ca-key=ca-k8s-apiserver-key.pem -config=ca-k8s-apiserver-config.json -profile=kubernetes cert-k8s-controller-manager-sa-csr.json | cfssljson -bare cert-k8s-controller-manager-sa"
- args:
- chdir: "{{k8s_ca_conf_directory}}"
- creates: "{{k8s_ca_conf_directory}}/cert-k8s-controller-manager-sa-key.pem"
- tags:
- - kubernetes-ca
-
-- name: Generate TLS certificate for kube-scheduler
- shell: "cfssl gencert -ca=ca-k8s-apiserver.pem -ca-key=ca-k8s-apiserver-key.pem -config=ca-k8s-apiserver-config.json -profile=kubernetes cert-k8s-scheduler-csr.json | cfssljson -bare cert-k8s-scheduler"
- args:
- chdir: "{{k8s_ca_conf_directory}}"
- creates: "{{k8s_ca_conf_directory}}/cert-k8s-scheduler-key.pem"
- tags:
- - kubernetes-ca
diff --git a/roles/kubernetes-ca/templates/ca-k8s-apiserver-config.json.j2 b/roles/kubernetes-ca/templates/ca-config.json.j2
similarity index 70%
rename from roles/kubernetes-ca/templates/ca-k8s-apiserver-config.json.j2
rename to roles/kubernetes-ca/templates/ca-config.json.j2
index 306db5f..965406d 100644
--- a/roles/kubernetes-ca/templates/ca-k8s-apiserver-config.json.j2
+++ b/roles/kubernetes-ca/templates/ca-config.json.j2
@@ -1,7 +1,7 @@
 {
 "signing": {
 "default": {
- "expiry": "{{ ca_k8s_apiserver_expiry }}"
+ "expiry": "{{ ca_expiry }}"
 },
 "profiles": {
 "kubernetes": {
@@ -11,7 +11,7 @@
 "server auth",
 "client auth"
 ],
- "expiry": "{{ ca_k8s_apiserver_expiry }}"
+ "expiry": "{{ ca_expiry }}"
 }
 }
 }
diff --git a/roles/kubernetes-ca/templates/ca-etcd-config.json.j2 b/roles/kubernetes-ca/templates/ca-etcd-config.json.j2
deleted file mode 100644
index b5f4a39..0000000
--- a/roles/kubernetes-ca/templates/ca-etcd-config.json.j2
+++ /dev/null
@@ -1,18 +0,0 @@
-{
- "signing": {
- "default": {
- "expiry": "{{ ca_etcd_expiry }}"
- },
- "profiles": {
- "etcd": {
- "usages": [
- "signing",
- "key encipherment",
- "server auth",
- "client auth"
- ],
- "expiry": "{{ ca_etcd_expiry }}"
- }
- }
- }
-}
diff --git a/roles/kubernetes-ca/templates/ca-etcd-csr.json.j2 b/roles/kubernetes-ca/templates/ca-etcd-csr.json.j2
deleted file mode 100644
index 817e631..0000000
--- a/roles/kubernetes-ca/templates/ca-etcd-csr.json.j2
+++ /dev/null
@@ -1,16 +0,0 @@
-{
- "CN": "{{ca_etcd_csr_cn}}",
- "key": {
- "algo": "{{ca_etcd_csr_key_algo}}",
- "size": {{ca_etcd_csr_key_size}}
- },
- "names": [
- {
- "C": "{{ca_etcd_csr_names_c}}",
- "L": "{{ca_etcd_csr_names_l}}",
- "O": "{{ca_etcd_csr_names_o}}",
- "OU": "{{ca_etcd_csr_names_ou}}",
- "ST": "{{ca_etcd_csr_names_st}}"
- }
- ]
-}
diff --git a/roles/kubernetes-ca/templates/ca-k8s-apiserver-csr.json.j2 b/roles/kubernetes-ca/templates/ca-k8s-apiserver-csr.json.j2
deleted file mode 100644
index 608b2b5..0000000
--- a/roles/kubernetes-ca/templates/ca-k8s-apiserver-csr.json.j2
+++ /dev/null
@@ -1,16 +0,0 @@
-{
- "CN": "{{ca_k8s_apiserver_csr_cn}}",
- "key": {
- "algo": "{{ca_k8s_apiserver_csr_key_algo}}",
- "size": {{ca_k8s_apiserver_csr_key_size}}
- },
- "names": [
- {
- "C": "{{ca_k8s_apiserver_csr_names_c}}",
- "L": "{{ca_k8s_apiserver_csr_names_l}}",
- "O": "{{ca_k8s_apiserver_csr_names_o}}",
- "OU": "{{ca_k8s_apiserver_csr_names_ou}}",
- "ST": "{{ca_k8s_apiserver_csr_names_st}}"
- }
- ]
-}
diff --git a/roles/kubernetes-ca/templates/cert-admin-csr.json.j2 b/roles/kubernetes-ca/templates/cert-admin-csr.json.j2
deleted file mode 100644
index d3de6f7..0000000
--- a/roles/kubernetes-ca/templates/cert-admin-csr.json.j2
+++ /dev/null
@@ -1,16 +0,0 @@
-{
- "CN": "{{k8s_admin_csr_cn}}",
- "key": {
- "algo": "{{k8s_admin_csr_key_algo}}",
- "size": {{k8s_admin_csr_key_size}}
- },
- "names": [
- {
- "C": "{{k8s_admin_csr_names_c}}",
- "L": "{{k8s_admin_csr_names_l}}",
- "O": "{{k8s_admin_csr_names_o}}",
- "OU": "{{k8s_admin_csr_names_ou}}",
- "ST": "{{k8s_admin_csr_names_st}}"
- }
- ]
-}
diff --git a/roles/kubernetes-ca/templates/cert-etcd-csr.json.j2 b/roles/kubernetes-ca/templates/cert-etcd-csr.json.j2
deleted file mode 100644
index fde0ec8..0000000
--- a/roles/kubernetes-ca/templates/cert-etcd-csr.json.j2
+++ /dev/null
@@ -1,16 +0,0 @@
-{
- "CN": "{{etcd_csr_cn}}",
- "key": {
- "algo": "{{etcd_csr_key_algo}}",
- "size": {{etcd_csr_key_size}}
- },
- "names": [
- {
- "C": "{{etcd_csr_names_c}}",
- "L": "{{etcd_csr_names_l}}",
- "O": "{{etcd_csr_names_o}}",
- "OU": "{{etcd_csr_names_ou}}",
- "ST": "{{etcd_csr_names_st}}"
- }
- ]
-}
diff --git a/roles/kubernetes-ca/templates/cert-k8s-apiserver-csr.json.j2 b/roles/kubernetes-ca/templates/cert-k8s-apiserver-csr.json.j2
deleted file mode 100644
index 7f8c557..0000000
--- a/roles/kubernetes-ca/templates/cert-k8s-apiserver-csr.json.j2
+++ /dev/null
@@ -1,16 +0,0 @@
-{
- "CN": "{{k8s_apiserver_csr_cn}}",
- "key": {
- "algo": "{{k8s_apiserver_csr_key_algo}}",
- "size": {{k8s_apiserver_csr_key_size}}
- },
- "names": [
- {
- "C": "{{k8s_apiserver_csr_names_c}}",
- "L": "{{k8s_apiserver_csr_names_l}}",
- "O": "{{k8s_apiserver_csr_names_o}}",
- "OU": "{{k8s_apiserver_csr_names_ou}}",
- "ST": "{{k8s_apiserver_csr_names_st}}"
- }
- ]
-}
diff --git a/roles/kubernetes-ca/templates/cert-k8s-controller-manager-csr.json.j2 b/roles/kubernetes-ca/templates/cert-k8s-controller-manager-csr.json.j2
deleted file mode 100644
index 99411a7..0000000
--- a/roles/kubernetes-ca/templates/cert-k8s-controller-manager-csr.json.j2
+++ /dev/null
@@ -1,16 +0,0 @@
-{
- "CN": "{{k8s_controller_manager_csr_cn}}",
- "key": {
- "algo": "{{k8s_controller_manager_csr_key_algo}}",
- "size": {{k8s_controller_manager_csr_key_size}}
- },
- "names": [
- {
- "C": "{{k8s_controller_manager_csr_names_c}}",
- "L": "{{k8s_controller_manager_csr_names_l}}",
- "O": "{{k8s_controller_manager_csr_names_o}}",
- "OU": "{{k8s_controller_manager_csr_names_ou}}",
- "ST": "{{k8s_controller_manager_csr_names_st}}"
- }
- ]
-}
diff --git a/roles/kubernetes-ca/templates/cert-k8s-controller-manager-sa-csr.json.j2 b/roles/kubernetes-ca/templates/cert-k8s-controller-manager-sa-csr.json.j2
deleted file mode 100644
index 8155a12..0000000
--- a/roles/kubernetes-ca/templates/cert-k8s-controller-manager-sa-csr.json.j2
+++ /dev/null
@@ -1,16 +0,0 @@
-{
- "CN": "{{k8s_controller_manager_sa_csr_cn}}",
- "key": {
- "algo": "{{k8s_controller_manager_sa_csr_key_algo}}",
- "size": {{k8s_controller_manager_sa_csr_key_size}}
- },
- "names": [
- {
- "C": "{{k8s_controller_manager_sa_csr_names_c}}",
- "L": "{{k8s_controller_manager_sa_csr_names_l}}",
- "O": "{{k8s_controller_manager_sa_csr_names_o}}",
- "OU": "{{k8s_controller_manager_sa_csr_names_ou}}",
- "ST": "{{k8s_controller_manager_sa_csr_names_st}}"
- }
- ]
-}
diff --git a/roles/kubernetes-ca/templates/cert-k8s-proxy-csr.json.j2 b/roles/kubernetes-ca/templates/cert-k8s-proxy-csr.json.j2
deleted file mode 100644
index 49f67be..0000000
--- a/roles/kubernetes-ca/templates/cert-k8s-proxy-csr.json.j2
+++ /dev/null
@@ -1,16 +0,0 @@
-{
- "CN": "{{k8s_kube_proxy_csr_cn}}",
- "key": {
- "algo": "{{k8s_kube_proxy_csr_key_algo}}",
- "size": {{k8s_kube_proxy_csr_key_size}}
- },
- "names": [
- {
- "C": "{{k8s_kube_proxy_csr_names_c}}",
- "L": "{{k8s_kube_proxy_csr_names_l}}",
- "O": "{{k8s_kube_proxy_csr_names_o}}",
- "OU": "{{k8s_kube_proxy_csr_names_ou}}",
- "ST": "{{k8s_kube_proxy_csr_names_st}}"
- }
- ]
-}
diff --git a/roles/kubernetes-ca/templates/cert-k8s-scheduler-csr.json.j2 b/roles/kubernetes-ca/templates/cert-k8s-scheduler-csr.json.j2
deleted file mode 100644
index 52638d2..0000000
--- a/roles/kubernetes-ca/templates/cert-k8s-scheduler-csr.json.j2
+++ /dev/null
@@ -1,16 +0,0 @@
-{
- "CN": "{{k8s_scheduler_csr_cn}}",
- "key": {
- "algo": "{{k8s_scheduler_csr_key_algo}}",
- "size": {{k8s_scheduler_csr_key_size}}
- },
- "names": [
- {
- "C": "{{k8s_scheduler_csr_names_c}}",
- "L": "{{k8s_scheduler_csr_names_l}}",
- "O": "{{k8s_scheduler_csr_names_o}}",
- "OU": "{{k8s_scheduler_csr_names_ou}}",
- "ST": "{{k8s_scheduler_csr_names_st}}"
- }
- ]
-}
diff --git a/roles/kubernetes-ca/templates/cert-worker-csr.json.j2 b/roles/kubernetes-ca/templates/cert-worker-csr.json.j2
index 6fbd88e..e707575 100644
--- a/roles/kubernetes-ca/templates/cert-worker-csr.json.j2
+++ b/roles/kubernetes-ca/templates/cert-worker-csr.json.j2
@@ -1,16 +1,16 @@
 {
 "CN": "system:node:{{hostvars[workerHost]['ansible_hostname']}}",
 "key": {
- "algo": "{{k8s_worker_csr_key_algo}}",
- "size": {{k8s_worker_csr_key_size}}
+ "algo": "{{k8s_csr.worker.key_algo}}",
+ "size": {{k8s_csr.worker.key_size}}
 },
 "names": [
 {
- "C": "{{k8s_worker_csr_names_c}}",
- "L": "{{k8s_worker_csr_names_l}}",
- "O": "{{k8s_worker_csr_names_o}}",
- "OU": "{{k8s_worker_csr_names_ou}}",
- "ST": "{{k8s_worker_csr_names_st}}"
+ "C": "{{k8s_csr.worker.names_c}}",
+ "L": "{{k8s_csr.worker.names_l}}",
+ "O": "{{k8s_csr.worker.names_o}}",
+ "OU": "{{k8s_csr.worker.names_ou}}",
+ "ST": "{{k8s_csr.worker.names_st}}"
 }
 ]
 }
diff --git a/roles/kubernetes-ca/templates/csr.json.j2 b/roles/kubernetes-ca/templates/csr.json.j2
new file mode 100644
index 0000000..b158c99
--- /dev/null
+++ b/roles/kubernetes-ca/templates/csr.json.j2
@@ -0,0 +1,16 @@
+{
+ "CN": "{{item.cn}}",
+ "key": {
+ "algo": "{{item.key_algo}}",
+ "size": {{item.key_size}}
+ },
+ "names": [
+ {
+ "C": "{{item.names_c}}",
+ "L": "{{item.names_l}}",
+ "O": "{{item.names_o}}",
+ "OU": "{{item.names_ou}}",
+ "ST": "{{item.names_st}}"
+ }
+ ]
+}
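Review bot: The new csr.json.j2 interpolates every `item.*` value straight into JSON string literals, so a value containing a double quote or backslash — most plausibly `names_ou`, which the defaults feed from `k8s_config_cluster_name`, a variable defined outside this role — produces a CSR file that cfssl cannot parse, and the failure only surfaces at the later `cfssl gencert` step rather than at templating time. Emitting the values with Ansible's JSON filter, e.g. `"CN": {{ item.cn | to_json }},` and likewise for the `names` fields, keeps the file well-formed for any input and makes the subject that ends up in the certificate exactly the configured string. `cert-worker-csr.json.j2` in the hunk above has the same pattern with `k8s_csr.worker.*`.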